Web Application Firewall (WAF) provides security reports that display the protection records of each protection module. The protection records cover web security, bot management, and access control and throttling for the domain names that WAF protects. You can use these records to analyze the security of your business.

Prerequisites

  • Your website is added to the WAF console. For more information, see Add websites.
  • Your websites are protected by WAF.

    After you add a domain name to WAF, the RegEx Protection Engine and HTTP Flood Protection features are enabled by default. You need to manually enable other features. For more information, see Overview.

Access the security report page

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, click Security report.
  4. On the Security report page, click one of the following tabs to view the required reports: Web Security, Bot Management, and Access Control/Throttling.

Web Security tab

The Web Security tab displays protection records about features, such as Web Intrusion Prevention, Data Leakage Prevention, Account Security, Positive Security Model, and API Request Security. You can click a tab to view the protection records about a specific feature.

Note
  • Subscription WAF instances of the Pro edition deployed in mainland China do not support API Request Security.
  • Subscription WAF instances of the Pro edition deployed outside mainland China do not support API Request Security and Positive Security Model.

  • Web Intrusion Prevention: displays all web application attacks blocked by WAF. This tab consists of two parts: attack statistics (part 1 in the following figure) and attack details (part 2 in the following figure). You can specify a domain name and time period to search for corresponding data.
    • The attack statistics part includes Security attack type distribution, Top 5 attack source ips, and Top 5 attack source regions.
    • The attack details part displays the following information: Attack IP, Region, Time Attacked, Attack Type, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability.
      You can specify the following information to search for the records that you want to view:
      • Protection feature: Regular Protection and Deep learning
      • Attack type: SQL injection, XSS, Code execution, CRLF, Local file inclusion, Remote file inclusion, webshell, CSRF, and Other
      • Attack IP address
      • Protection rule ID

      You can find a record and click View Details in the Actions column to access the Attack Detail panel.

    For more information about how to configure web intrusion prevention, see the following topics:
  • Data Leakage Prevention: displays the records of web requests that trigger data leak prevention rules. The following information is provided: Attack IP, Region, Time Attacked, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability. You can specify a domain name and time period to search for corresponding data.

    You can find a record and click View Details in the Actions column to access the Attack Detail panel.

    For more information about how to configure data leak prevention, see Configure data leakage prevention.

  • Account Security: displays the records of risk events that occurred at the endpoints configured for account security. The following information is provided: Domain, Endpoint, Malicious Requests Occurred During, Blocked Requests/Total Requests, and Alert Triggered By. You can specify a domain name, endpoint, and time period to search for corresponding data.

    For more information about how to configure account security, see Configure account security.

  • Positive Security Model: displays the records of web application attacks that trigger positive security model rules. The rules are automatically generated. The following information is provided: Attack IP, Region, Time Attacked, Attacked URL, Method, Rule Action, Rule ID, and Attack Probability. You can specify a domain name and time period to search for corresponding data.

    You can find a record and click View Details in the Actions column to access the Attack Detail panel.

    For more information about how to configure positive security models, see Configure the positive security model.

  • API Request Security: displays the records of API security alerts. The following information is provided: ID, URL, Attack IP, Region, Time Attacked, and Protective Action. You can specify a domain name and time period to search for corresponding data.

    For more information about how to configure API request security, see Enable API request security.

Bot Management tab

The Bot Management tab displays the monitoring data of crawler requests of websites. This tab consists of two sections: Data Trends and Real-time Monitoring in Last 10 Minutes. You can specify a domain name and time period to search for corresponding data.
  • Data Trends: provides the Overview and Interception Analysis tabs. The Overview tab displays the trend chart of total requests and crawler requests that trigger the protection rules under different protection features. The Interception Analysis tab displays the trend chart of total requests and blocked requests.
  • Real-time Monitoring in Last 10 Minutes: displays the records of crawler requests that trigger the protection rules under different protection features in the last 10 minutes.
For more information about how to configure bot management, see the following topics:

Access Control/Throttling tab

The Access Control/Throttling tab displays the records of web requests that trigger the protection rules under the following protection features: HTTP Flood Protection, Scan Protection, and Access Control. You can specify a domain and time period to search for corresponding data. You can also query data-related logs with a few clicks.
  • HTTP Flood Protection: displays the trend of HTTP flood protection. The following information is provided: Total QPS, Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit. This tab also displays No. of matches for different types of rules. Valid values of Rule Type are Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit.
    You can click the value of No. of matches for a rule type to go to the Log Service page. The system automatically provides the log query statements related to HTTP flood protection on this page to facilitate log query. For more information, see Enable log query.

    For more information about how to configure HTTP flood protection, see Configure HTTP flood protection.

    For more information about how to customize HTTP flood protection rules, see Create a custom protection policy.

  • Scan Protection: displays the trend of scan protection. The following information is provided: Total QPS, Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking. This tab also displays No. of matches for different types of rules. Valid values of Rule Type are Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking.
    You can click the value of No. of matches for a rule type to go to the Log Service page. The system automatically provides the log query statements related to scan protection on this page to facilitate log query. For more information, see Enable log query.

    For more information about how to configure scan protection, see Configure scan protection.

  • Access Control: displays the trend of access control. The following information is provided: Total QPS, Blocking by ACL Policy, Alerts by ACL Policy, and Blocking by Blacklisting. This tab also displays the number of matches for custom rules.

    You can click the ID of a custom rule to view and modify the configurations of this rule in the Edit Rule dialog box. For more information, see Create a custom protection policy.

    You can click the value of No. of matches for a custom rule to go to the Log Service page. The system automatically provides the log query statements related to access control on this page to facilitate log query. For more information, see Enable log query.

    For more information about how to configure access control, see Create a custom protection policy.

    For more information about how to configure an IP address blacklist, see Configure the IP address blacklist.